US20090119742A1 - Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol - Google Patents
Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocolDownload PDFInfo
- Publication number
- US20090119742A1 US20090119742A1US11/979,353US97935307AUS2009119742A1US 20090119742 A1US20090119742 A1US 20090119742A1US 97935307 AUS97935307 AUS 97935307AUS 2009119742 A1US2009119742 A1US 2009119742A1
- Authority
- US
- United States
- Prior art keywords
- access request
- user identifier
- eap
- determining
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034methodMethods0.000titleclaimsabstractdescription60
- 238000004891communicationMethods0.000claimsabstractdescription13
- 238000011156evaluationMethods0.000claimsabstractdescription9
- 230000001413cellular effectEffects0.000claimsdescription8
- 238000013475authorizationMethods0.000claimsdescription4
- 230000003068static effectEffects0.000abstractdescription3
- 238000004590computer programMethods0.000description11
- 230000008569processEffects0.000description6
- 238000012360testing methodMethods0.000description6
- 230000006870functionEffects0.000description5
- 238000010586diagramMethods0.000description4
- 238000013459approachMethods0.000description3
- 230000007246mechanismEffects0.000description2
- 238000010295mobile communicationMethods0.000description2
- 230000003287optical effectEffects0.000description2
- XQVWYOYUZDUNRW-UHFFFAOYSA-NN-Phenyl-1-naphthylamineChemical compoundC=1C=CC2=CC=CC=C2C=1NC1=CC=CC=C1XQVWYOYUZDUNRW-UHFFFAOYSA-N0.000description1
- 238000013500data storageMethods0.000description1
- 238000009434installationMethods0.000description1
- 238000012986modificationMethods0.000description1
- 230000004048modificationEffects0.000description1
- 238000012545processingMethods0.000description1
- 230000005641tunnelingEffects0.000description1
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/062—Pre-authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
Definitions
- the present inventionrelates to mobile communications, and more particularly, to authenticating and authorizing a mobile device using tunneled EAP.
- Wi-Fi based hotspotscould be adjacent or distributed in cellular telephone networks.
- the mobile devicee.g., laptop computer
- the mobile devicecan move across networks.
- the service provider allowing access to its networkusually requires a mobile node and/or a mobile user to authenticate that it is entitled to access the network before it is granted network access.
- Authenticationis the process of identifying a device or user. For example, when logging on to a computer network, user authentication is commonly achieved using a username and password.
- Authenticationis distinct from authorization, which is the process of giving devices or individuals access to services and features based on their identity. Authentication merely ensures that an individual is who he or she claims to be, but does not address the access rights of the individual.
- a wireless networkgenerally includes many wireless nodes and users trying to gain access to a network.
- the primary means for controlling accessinclude network access servers (“NAS”) and authentication servers, such as authentication, authorization, accounting (AAA) servers.
- a NASwhich is also referred to as an access point, provides access to the network.
- the devices and usersconnect through an access point via some form of wireless connection (e.g. IEEE 802.1X) to obtain access to a network (e.g., the Internet).
- a local authentication serverwhich allows the user to authenticate the network and a user's home authentication server that authenticates the user.
- the authentication serversare typically RADIUS (Remote Authentication Dial-In User Service) or Diameter servers.
- EAPExtensible Authentication Protocol
- RADIUSInternet Engineering Task Force
- RADIUSRemote Authentication Dial In User Service
- RADIUSRemote Authentication Dial In User Service
- RAC 4072Diameter Extensible Authentication Protocol (EAP) Application, by the IETF, the disclosure of which is hereby incorporated by reference.
- EAP-TTLSExtended Authentication Protocol Tunneled Transport Layer Security
- PEAPProtected Extended Authentication Protocol
- Inner-User-IDis securely transmitted using the established TLS-encrypted channel.
- the foreign networkcan authenticate the user from the user information using an inner user authentication method (e.g. PAP(Password Authentication Protocol), CHAP(Challenge-handshake authentication protocol), EAP, MSCHAPv1 (Microsoft Challenge handshake authentication protocol) and MSCHAPv2).
- the authenticationcan be carried out either by a TLS-AAA (the TLS end point of the foreign network) or by a remote AAA/H.
- this inner user authentication methodtypically must be another EAP authentication method.
- EAP-TTLSFor further information about EAP-TTLS, see, Internet Draft EAP Tunneled TLS Authentication Protocol Version 0 (draft-funk-eap-ttls-v0), which is hereby incorporated by reference.
- PEAPInternet Draft PEAP (draft-josefsson-pppext-eap-tls-eap-06.txt), which is hereby incorporated by reference.
- the foreign networkIn the two-phase authentication protocols, such as those described above, the foreign network must know how to route user information to the user's home server. In prior art systems, routing is typically achieved using static routes configured based on generic information transmitted between the mobile the device and foreign network during the first phase of the authentication process. In prior art systems, the foreign network routes the inner user authentication information using the outer identity/roaming identity used by the mobile device to authenticate the foreign network, in some cases even before inner user information is known. For example, the foreign network may have a list associating outer identities to home servers (e.g. outer identity user@IPprovider is routed to home server IPprovider). This front end approach can be problematic because it may be desirable to route a user's inner user authentication information to a AAA server other than the general AAA server.
- outer identity user@IPprovideris routed to home server IPprovider
- the present inventionprovides systems and methods for a foreign network to route user authentication information to a particular home server using a tunneled Extensible Authentication Protocol (EAP).
- EAPtunneled Extensible Authentication Protocol
- the inventionincludes evaluating inner user information against a policy engine to determine which AAA server to route the request to for inner user authentication.
- the EAP policycan have multiple rules and actions to route the request.
- the evaluationcan be based on the conditions on inner user evaluation and or other AAA attributes received in the request.
- Using this backend policy approach to evaluate the inner user informationsimplifies upfront EAP based TLS policy evaluation. Further, because inner user information is not known until later in an EAP based TLS protocol exchange, the present invention allows for a highly flexible routing scheme to be employed to determine the appropriate AAA server.
- the TLS-AAAevaluates the embedded user name attribute (used in legacy authentication protocols such as PAP, CHAP, etc.) against a local policy to determine which AAA/H to route the embedded user name to.
- the embedded user name attributeused in legacy authentication protocols such as PAP, CHAP, etc.
- the TLS-AAAevaluates the inner EAP-Identity (for EAP authentication protocols) or inner user identity (for PAP, CHAP, MSCHAPv1/v2 authentication protocols) to determine which AAA/H to route the inner user identifier to by evaluating it against a local policy.
- the policy engineplaces one or more of the following conditions on the inner user identifier:
- the mobile nodeincludes, but is not limited to laptop computers, cellular phones, smart phones, and personal data assistants.
- the implementationis based on a generic network access via the RADIUS protocol.
- the network access typecan be of various types i.e. WiFi, WiMAX, wireline, etc. It can also be extended for applications requiring AAA authentications.
- a policy engineis placed at any server where authentication is tunneled for a mobile device such that a request can be directed or redirected to a particular AAA server based on a condition.
- FIG. 1provides a network diagram of a portion of a roaming environment.
- FIG. 2provides a prior art method for authenticating and authorizing a mobile device using tunneled EAP.
- FIG. 3provides a method for a TLS AAA server to evaluate a mobile device's access request in a communication network using EAP, according to an embodiment of the invention.
- FIG. 4is a diagram of a computer system on which the methods and systems herein described can be implemented, according to an embodiment of the invention.
- FIG. 1provides a network diagram of a portion of a roaming environment 100 .
- the diagramprovides a simplified network view that can be used to illustrate the authentication procedures needed when a mobile device roams from one network to another.
- mobile devices 110 a and 110 bseek network access to wireless LAN hot spot 140 .
- Access point 120 and visited Authentication, Authorization, Accounting (AAA) server 130 within wireless LAN hot spot 140support access and authentication of mobile users.
- Visited AAA server 130is coupled to home AAA servers 160 a, 160 b, and 160 c via network 150 .
- Home AAA servers 160 a, 160 b, and 160 care located within respective home network 170 a, 170 b, and 170 c.
- Home AAA serversare associated with particular mobile devices.
- a mobile device 110can be wirelessly coupled to access point 120 using EAP.
- EAPprovides an authentication framework that supports multiple authentication methods.
- EAPtypically runs directly over data link layers, such as point-to-point protocol (“PPP”) or IEEE 802.1X, without requiring internet protocol (“IP”).
- PPPpoint-to-point protocol
- IPinternet protocol
- EAPmay be used on dedicated lines, as well as switched circuits, and wired as well as wireless links.
- Deployments of IEEE 802.11 wireless LANsare based on EAP and use several EAP methods, including EAP-TLS (Transport Level Security), EAP-TTLS (Tunneled Transport Level Security), PEAP (Protected Extensible Authentication Protocol), and EAP-SIM (Subscriber Identify Module). These methods support authentication credentials that include digital certificates, user-names and passwords, secure tokens, and SIM secrets.
- the present inventioncan be implemented with each of these methods, but is not limited to these methods.
- the embodiments discussed hereinfocus on wireless links, however, the scope and spirit of the present invention extends to wired links,
- a mobile device 110is considered an EAP peer, while access point 120 is considered an EAP authenticator and a TLS AAA server 130 and a home AAA server 160 is considered an EAP authentication server.
- EAPis used to select a specific authentication mechanism, typically after the authenticator requests more information in order to determine the specific authentication method to be used. Rather than requiring the authenticator to be updated to support each new authentication method, EAP permits the use of a backend authentication server, which may implement some or all authentication methods, with the authenticator acting as a pass-through for some or all methods and peers.
- a mobile device 110attaches to access point 120 , it needs to authenticate with its home AAA server 160 before network access is granted.
- the authenticationis based on EAP and mobile device 110 , visited TLS AAA server 130 and home AAA server 160 take on EAP roles, as identified above.
- EAP messagesare transported between the mobile device 110 acting as an EAP Peer to the access point 120 , the EAP Authenticator, using any of many transport methods, such as 802.1x, PANA, and the like.
- the transport between access point 120 and a home AAA server 160is typically carried over AAA protocol using RADIUS or Diameter.
- the EAP messagestravel through a visited AAA server 130 , zero or more broker AAA server(s) (not shown) and finally arrive at the home AAA server 160 .
- broker AAA serversmay also be present between access point 120 and TLS AAA server 130 and simply operate in a pass through mode.
- FIG. 2illustrates a prior art method for authenticating and authorizing a mobile device 110 using tunneled EAP.
- Method 200begins in step 210 .
- step 210access point 120 receives an EAP-Start message. This message comes from the network 140 and signals that the EAP procedure should start.
- step 220access point 120 , which is located in the visited network 140 , issues an EAP-Request-Identity message. If access point 120 knows the visited network Authentication Policy, it will encode the policy as part of the EAP-Request-Identity message. The coding of the message will be similar to the encoding used in “RFC 4284: Identity Selection Hints for the Extensible Authentication Protocol (EAP),” by the IETF, the disclosure of which is hereby incorporated by reference and will be known to individuals skilled in the relevant arts based on the teachings herein and reference to RFC 4284.
- EAPExtensible Authentication Protocol
- the mobile device 110receives the EAP-Request-Identity.
- Mobile device 110decodes the message to learn the authentication policy of the visited network 140 .
- Mobile device 110uses that knowledge and the preconfigured knowledge of the authentication policy of its home network 170 to select the authentication policy required.
- Mobile device 110encodes the authentication policy in an EAP-Response-Identity message and sends the message to access point 120 .
- the EAP-Response-Identity messagecan include an outer/realm identity (“user@realm”). This identity is not specific to the user and is not transmitted within a secure tunnel.
- TLS AAA server 130decodes the EAP-Response Identity message.
- TLS AAA server 130responds to the message with an access challenge message.
- Access challengeincludes information that allows network 140 to be authenticated by mobile device 110 , i.e. a digital certificate that lets mobile device know that network 140 is legitimate.
- a tunnelis established so that user specific information (e.g. User-Name and password) can be securely transmitted between the TLS AAA server 130 and mobile device 110 .
- the tunnelis established between mobile device 110 , access point 120 , and TLS AAA server 130 .
- the inner User-Name/inner EAP-Identity and password informationis secure within this tunnel.
- TLS AAA server 130receives a message containing the user specific information.
- the information in the messageis particular to the authentication method that will be used to authenticate the user (e.g. PAP, CHAP, EAP, MSCHAPv1, MSCHAPv2).
- the authentication method to be usedis established in the steps before step 260 .
- the TLS AAA 130may decide to forward the request to Home AAA server 160 to complete phase 2 of the authentication. It should be noted that TLS AAA 130 and Home AAA 160 may be the same process/application.
- Home AAA server 160may act as the EAP Authentication Server, for example, then starts to execute an EAP method appropriate to the authentication method selected. The EAP method continues to execute until it succeeds or fails. In the case of PAP, CHAP, MSCHAPv1, and MSCHAPv2, Home AAA server 160 will authenticate the user based on the received protocol attribute information and will either accept or reject the session.
- Steps 280 and 290illustrate a successful authentication occurring that enables mobile device 110 to access network 140 . Specifically, in step 290 mobile device 110 receives an EAP-Success message. If successful authentication does not occur, ultimately the process will time out.
- FIG. 3provides a method 300 for a TLS AAA server to evaluate a mobile device's access request in a communication network using EAP, according to an embodiment of the invention.
- Method 300begins in step 310 .
- step 310access point 120 receives an EAP-Start message. This message comes from the network 140 and signals that the EAP procedure should start.
- step 320access point 120 , which is located in the visited network 140 , issues an EAP-Request-Identity message. If access point 120 knows the visited network Authentication Policy, it will encode the policy as part of the EAP-Request-Identity message.
- the mobile device 110receives the EAP-Request-Identity.
- Mobile device 110decodes the message to learn the authentication policy of the visited network 140 .
- Mobile device 110uses that knowledge and the preconfigured knowledge of the authentication policy of its home network 170 to select the authentication policy required.
- Mobile device 110encodes the authentication policy in an EAP-Response-Identity message and sends the message to access point 120 .
- the EAP-Response-Identity messagecan include an outer/realm identity (“user@realm”). This identity is not specific to the user and as such may not be secure.
- TLS server 130decodes the EAP-Response Identity message.
- TLS AAA server 130responds to the message with an access challenge message.
- Access challengeincludes information that allows network 140 to be authenticated by mobile device 110 , i.e. a digital certificate that lets mobile device know that network 140 is legitimate.
- a tunnelis established which allows user specific information (e.g. User-Name and password) to be securely transmitted between TLS server 130 and mobile device 110 .
- the tunnelis established between mobile device 110 , access point 120 , and TLS AAA server 130 .
- the inner User-Name/inner EAP-Identity and password informationis secure within this tunnel.
- TLS AAA server 130receives a message containing the user specific information.
- the information in the messageis particular to the authentication method that will be used to authenticate the user (e.g. PAP, CHAP, EAP, MSCHAPv1, MSCHAPv2).
- the authentication method to be usedis established in the steps before step 370 .
- the TLS AAA server 130will evaluate the embedded user specific information to determine which Home AAA server to route the user specific information to by evaluating it against a local policy. For example, the TLS AAA server 130 will evaluate the embedded User-Name attribute for legacy authentication protocols (PAP, CHAP, etc.) or the EAP-Identity for EAP authentication protocols.
- legacy authentication protocolsPAP, CHAP, etc.
- EAP-Identityfor EAP authentication protocols.
- the policy enginecan place one or more of the following conditions on an inner user identifier:
- An “equals” conditiontests if an inner user identifier is the same as a predetermined string.
- An example of the “equals” conditionis as follows: when the “equals” condition is “abc”, inner user identifier “abc” satisfies the condition and inner user identifier “abcd” does not.
- a “starts with” conditiontests if a character string at the beginning of the an inner user identifier is the same as a predetermined string.
- An example of the “starts with” conditionis as follows: when the “starts with” condition is “abc”, inner user identifier “abcd” satisfies the condition and inner user identifier “dabc” does not.
- An “ends with” conditiontests if a character string at the end of an inner user identifier is the same as a predetermined string.
- An example of the “ends with” conditionis as follows: when the “ends with” condition is “abc”, inner user identifier “deabc” satisfies the condition and inner user identifier “abcde” does not.
- a “contains” conditiontests if one or more characters are contained in an inner user identifier.
- An example of the “contains” conditionis as follows: when the “contains” condition is abc, inner user identifier “xyabce” satisfies the condition and inner user identifier “axybec” does not.
- a “regular expression”holds a regular expression that is used to match a pattern against an inner user identifier.
- An “appears” commandtests if an attribute appears in the an Access-Request message.
- step 390after inner user identifier is evaluated against a policy.
- the user informationis forwarded to the appropriate home server as determined by policy evaluation or the TLS AAA policy may determine that the user information is to be processed locally, in otherwords the TLS AAA may also be the home AAA.
- an example of steps 380 and 390is as follows:
- the UserID for mobile device user of mobile device 110 ais johnsmith@realm.com.
- AAA/H servers 160 a, 160 b, and 160 ceach store user authentication information based the user's last name contained in the UserName, where server 160 a stores user authentication information for users with last names A-J, server 160 b stores user authentication information for users with last names K-T, and server 160 c stores user authentication information for users with last names U-Z.
- Policy enginecan search the user name johnsmith for an last name using the commands described above and route the user authentication information to server 160 b, which would contain the user authentication information for user John Smith.
- Home AAA server 160acting as the EAP Authentication Server, for example, then starts to execute an EAP method appropriate to the authentication method selected. The EAP method continues to execute until it succeeds or fails. In the case of PAP, CHAP, MSCHAPv1, and MSCHAPv2, Home AAA server 160 will authenticate the user based on the received protocol attribute information and will either accept or reject the session.
- Steps 394 and 396illustrate a successful authentication occurring that enable mobile device 110 to access network 170 . Specifically, in step 396 mobile device 110 receives an EAP-Success message. If successful authentication does not occur, ultimately the process will time out.
- step 380can be incorporated into prior art method in a variety of ways.
- a policy enginecould be incorporated into a home AAA server that initially receives the inner user identifier based on outer/realm identifier as described in accordance with FIG. 2 . After the home AAA server evaluates the inner user identifier it could forward the inner user identifier to another preferred/more appropriate home AAA server based on the evaluation.
- the methods and systems of the present invention described hereinare implemented using well known computers, such as a computer 400 shown in FIG. 4 .
- the computer 400can be any commercially available and well known computer capable of performing the functions described herein, such as computers available from International Business Machines, Apple, Sun, HP, Dell, Cray, etc.
- Computer 400includes one or more processors (also called central processing units, or CPUs), such as processor 410 .
- processorsalso called central processing units, or CPUs
- Processor 410is connected to communication bus 420 .
- Computer 400also includes a main or primary memory 430 , preferably random access memory (RAM).
- Primary memory 430has stored therein control logic (computer software), and data.
- Computer 400may also include one or more secondary storage devices 440 .
- Secondary storage devices 440include, for example, hard disk drive 450 and/or removable storage device or drive 460 .
- Removable storage drive 460represents a floppy disk drive, a magnetic tape drive, a compact disk drive, an optical storage device, tape backup, ZIP drive, JAZZ drive, etc.
- Removable storage drive 460interacts with removable storage unit 470 .
- removable storage unit 460includes a computer usable or readable storage medium having stored therein computer software (control logic) and/or data.
- Removable storage drive 460reads from and/or writes to the removable storage unit 470 in a well known manner.
- Removable storage unit 470also called a program storage device or a computer program product, represents a floppy disk, magnetic tape, compact disk, optical storage disk, ZIP disk, JAZZ disk/tape, or any other computer data storage device.
- Program storage devices or computer program productsalso include any device in which computer programs can be stored, such as hard drives, ROM or memory cards, etc.
- the present inventionis directed to computer program products or program storage devices having software that enables computer 400 , or multiple computer 400 s to perform any combination of the functions described herein
- Computer programsare stored in main memory 430 and/or the secondary storage devices 440 . Such computer programs, when executed, direct computer 400 to perform the functions of the present invention as discussed herein. In particular, the computer programs, when executed, enable processor 410 to perform the functions of the present invention. Accordingly, such computer programs represent controllers of the computer 400 .
- Computer 400also includes input/output/display devices 480 , such as monitors, keyboards, pointing devices, etc.
- input/output/display devices 480such as monitors, keyboards, pointing devices, etc.
- Computer 400further includes a communication or network interface 490 .
- Network interface 490enables computer 400 to communicate with remote devices.
- network interface 490allows computer 400 to communicate over communication networks, such as LANs, WANs, the Internet, etc.
- Network interface 490may interface with remote sites or networks via wired or wireless connections.
- Computer 400receives data and/or computer programs via network interface 490 .
- the electrical/magnetic signals having contained therein data and/or computer programs received or transmitted by the computer 400 via interface 490also represent computer program product(s).
- the inventioncan work with software, hardware, and operating system implementations other than those described herein. Any software, hardware, and operating system implementations suitable for performing the functions described herein can be used.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Description
- 1. Field of the Invention
- The present invention relates to mobile communications, and more particularly, to authenticating and authorizing a mobile device using tunneled EAP.
- 2. Background of Invention
- An increasingly large number of individuals use portable computing devices, such as laptop computers, personal data assistants (PDAs), smart phones and the like, to support mobile communications. The number of computing devices, and the number of networks that these devices connect to, has increased dramatically in recent years.
- In a typical wireless Internet environment, Wi-Fi based hotspots could be adjacent or distributed in cellular telephone networks. When the services of wireless LAN and cellular networks are integrated, the mobile device (e.g., laptop computer) can move across networks. There are two types of roaming: roaming between the same type of network (e.g., wireless LAN to wireless LAN or cellular network to cellular network) is defined as horizontal roaming; roaming between different types of networks, such as a wireless LAN and a cellular network, is defined as vertical roaming.
- The service provider allowing access to its network usually requires a mobile node and/or a mobile user to authenticate that it is entitled to access the network before it is granted network access. Authentication is the process of identifying a device or user. For example, when logging on to a computer network, user authentication is commonly achieved using a username and password. Authentication is distinct from authorization, which is the process of giving devices or individuals access to services and features based on their identity. Authentication merely ensures that an individual is who he or she claims to be, but does not address the access rights of the individual.
- Accordingly, a wireless network generally includes many wireless nodes and users trying to gain access to a network. The primary means for controlling access include network access servers (“NAS”) and authentication servers, such as authentication, authorization, accounting (AAA) servers. A NAS, which is also referred to as an access point, provides access to the network. The devices and users connect through an access point via some form of wireless connection (e.g. IEEE 802.1X) to obtain access to a network (e.g., the Internet). In typical installations, there is a local authentication server, which allows the user to authenticate the network and a user's home authentication server that authenticates the user. The authentication servers are typically RADIUS (Remote Authentication Dial-In User Service) or Diameter servers.
- In this type of network access server environment, a version of the Extensible Authentication Protocol (EAP) is typically used for network authentication. For further information regarding EAP, see e.g., “RFC 3748: Extensible Authentication Protocol,” by the Internet Engineering Task Force (IETF), the disclosure of which is hereby incorporated by reference. EAP is a general protocol for authentication, which supports multiple authentication mechanisms. The client devices and the authentication server (e.g., RADIUS or DIAMTER server) exchange EAP messages by embedding them as attributes of a RADIUS packet. For further information regarding RADIUS, see, e.g., “RFC 2865: Remote Authentication Dial In User Service (RADIUS),” by the IETF, the disclosure of which is hereby incorporated by reference. See also, “RFC 4072: Diameter Extensible Authentication Protocol (EAP) Application, by the IETF, the disclosure of which is hereby incorporated by reference.
- Certain TLS (Transport Layer Security) based Extended Authentication Protocols optionally allow user authentication to occur within the protected tunnel. EAP-TTLS (Extended Authentication Protocol Tunneled Transport Layer Security) and PEAP (Protected Extended Authentication Protocol) are EAP protocols that are authentication tunneling protocols that create a protected channel for user authentication. These protocols use a two-phase authentication approach. In the first phase, the mobile device authenticates the foreign network, that is, the mobile device uses a digital certificate to ensure that the foreign network is legitimate. After the foreign network is authenticated, an encrypted channel between the mobile device and the mobile device's home AAA (i.e. AAA/H) is established using TLS and the information provided in the digital certificate. In the second phase, user information (e.g. Inner-User-ID) is securely transmitted using the established TLS-encrypted channel. The foreign network can authenticate the user from the user information using an inner user authentication method (e.g. PAP(Password Authentication Protocol), CHAP(Challenge-handshake authentication protocol), EAP, MSCHAPv1 (Microsoft Challenge handshake authentication protocol) and MSCHAPv2). The authentication can be carried out either by a TLS-AAA (the TLS end point of the foreign network) or by a remote AAA/H. For PEAP, this inner user authentication method typically must be another EAP authentication method. For further information about EAP-TTLS, see, Internet Draft EAP Tunneled TLS Authentication Protocol Version 0 (draft-funk-eap-ttls-v0), which is hereby incorporated by reference. For further information about PEAP, see Internet Draft PEAP (draft-josefsson-pppext-eap-tls-eap-06.txt), which is hereby incorporated by reference.
- In the two-phase authentication protocols, such as those described above, the foreign network must know how to route user information to the user's home server. In prior art systems, routing is typically achieved using static routes configured based on generic information transmitted between the mobile the device and foreign network during the first phase of the authentication process. In prior art systems, the foreign network routes the inner user authentication information using the outer identity/roaming identity used by the mobile device to authenticate the foreign network, in some cases even before inner user information is known. For example, the foreign network may have a list associating outer identities to home servers (e.g. outer identity user@IPprovider is routed to home server IPprovider). This front end approach can be problematic because it may be desirable to route a user's inner user authentication information to a AAA server other than the general AAA server.
- What is needed are methods for wireless Internet environments that provide increased flexibility for authenticating a user.
- The present invention provides systems and methods for a foreign network to route user authentication information to a particular home server using a tunneled Extensible Authentication Protocol (EAP).
- The invention includes evaluating inner user information against a policy engine to determine which AAA server to route the request to for inner user authentication. Instead of having a static route configured based on the outer identity/roaming identity, the EAP policy can have multiple rules and actions to route the request. The evaluation can be based on the conditions on inner user evaluation and or other AAA attributes received in the request. Using this backend policy approach to evaluate the inner user information simplifies upfront EAP based TLS policy evaluation. Further, because inner user information is not known until later in an EAP based TLS protocol exchange, the present invention allows for a highly flexible routing scheme to be employed to determine the appropriate AAA server.
- In an embodiment, the TLS-AAA evaluates the embedded user name attribute (used in legacy authentication protocols such as PAP, CHAP, etc.) against a local policy to determine which AAA/H to route the embedded user name to.
- In an embodiment, the TLS-AAA evaluates the inner EAP-Identity (for EAP authentication protocols) or inner user identity (for PAP, CHAP, MSCHAPv1/v2 authentication protocols) to determine which AAA/H to route the inner user identifier to by evaluating it against a local policy.
- In an embodiment, the policy engine places one or more of the following conditions on the inner user identifier:
- Equals
- StartsWith
- EndsWith
- Contains
- Regular expression, and
- Appears.
- In an embodiment, the mobile node includes, but is not limited to laptop computers, cellular phones, smart phones, and personal data assistants.
- In an embodiment, the implementation is based on a generic network access via the RADIUS protocol. The network access type can be of various types i.e. WiFi, WiMAX, wireline, etc. It can also be extended for applications requiring AAA authentications.
- In an embodiment, a policy engine is placed at any server where authentication is tunneled for a mobile device such that a request can be directed or redirected to a particular AAA server based on a condition.
- Further embodiments, features, and advantages of the invention, as well as the structure and operation of the various embodiments of the invention are described in detail below with reference to accompanying drawings.
- The present invention is described with reference to the accompanying drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. The drawing in which an element first appears is indicated by the left-most digit in the corresponding reference number.
FIG. 1 provides a network diagram of a portion of a roaming environment.FIG. 2 provides a prior art method for authenticating and authorizing a mobile device using tunneled EAP.FIG. 3 provides a method for a TLS AAA server to evaluate a mobile device's access request in a communication network using EAP, according to an embodiment of the invention.FIG. 4 is a diagram of a computer system on which the methods and systems herein described can be implemented, according to an embodiment of the invention.- While the present invention is described herein with reference to illustrative embodiments for particular applications, it should be understood that the invention is not limited thereto. Those skilled in the art with access to the teachings provided herein will recognize additional modifications, applications, and embodiments within the scope thereof and additional fields in which the invention would be of significant utility.
FIG. 1 provides a network diagram of a portion of aroaming environment 100. The diagram provides a simplified network view that can be used to illustrate the authentication procedures needed when a mobile device roams from one network to another. In the example ofFIG. 1 ,mobile devices hot spot 140.Access point 120 and visited Authentication, Authorization, Accounting (AAA)server 130 within wireless LANhot spot 140 support access and authentication of mobile users. VisitedAAA server 130 is coupled tohome AAA servers network 150.Home AAA servers respective home network network 140 there are several potential home AAA servers that the mobile device's request may be potentially routed to. For the purposes of authentication, amobile device 110 can be wirelessly coupled toaccess point 120 using EAP.- EAP provides an authentication framework that supports multiple authentication methods. EAP typically runs directly over data link layers, such as point-to-point protocol (“PPP”) or IEEE 802.1X, without requiring internet protocol (“IP”). EAP may be used on dedicated lines, as well as switched circuits, and wired as well as wireless links. Deployments of IEEE 802.11 wireless LANs are based on EAP and use several EAP methods, including EAP-TLS (Transport Level Security), EAP-TTLS (Tunneled Transport Level Security), PEAP (Protected Extensible Authentication Protocol), and EAP-SIM (Subscriber Identify Module). These methods support authentication credentials that include digital certificates, user-names and passwords, secure tokens, and SIM secrets. The present invention can be implemented with each of these methods, but is not limited to these methods. Furthermore, the embodiments discussed herein focus on wireless links, however, the scope and spirit of the present invention extends to wired links, as well.
- Using EAP nomenclature, a
mobile device 110 is considered an EAP peer, whileaccess point 120 is considered an EAP authenticator and aTLS AAA server 130 and ahome AAA server 160 is considered an EAP authentication server. - One of the advantages of the EAP architecture is its flexibility. EAP is used to select a specific authentication mechanism, typically after the authenticator requests more information in order to determine the specific authentication method to be used. Rather than requiring the authenticator to be updated to support each new authentication method, EAP permits the use of a backend authentication server, which may implement some or all authentication methods, with the authenticator acting as a pass-through for some or all methods and peers.
- Referring to
FIG. 1 , when amobile device 110 attaches to accesspoint 120, it needs to authenticate with itshome AAA server 160 before network access is granted. The authentication is based on EAP andmobile device 110, visitedTLS AAA server 130 andhome AAA server 160 take on EAP roles, as identified above. EAP messages are transported between themobile device 110 acting as an EAP Peer to theaccess point 120, the EAP Authenticator, using any of many transport methods, such as 802.1x, PANA, and the like. The transport betweenaccess point 120 and ahome AAA server 160 is typically carried over AAA protocol using RADIUS or Diameter. The EAP messages travel through a visitedAAA server 130, zero or more broker AAA server(s) (not shown) and finally arrive at thehome AAA server 160. It should be noted that broker AAA servers may also be present betweenaccess point 120 andTLS AAA server 130 and simply operate in a pass through mode. FIG. 2 illustrates a prior art method for authenticating and authorizing amobile device 110 using tunneled EAP.Method 200 begins instep 210.- In
step 210,access point 120 receives an EAP-Start message. This message comes from thenetwork 140 and signals that the EAP procedure should start. - In
step 220access point 120, which is located in the visitednetwork 140, issues an EAP-Request-Identity message. Ifaccess point 120 knows the visited network Authentication Policy, it will encode the policy as part of the EAP-Request-Identity message. The coding of the message will be similar to the encoding used in “RFC 4284: Identity Selection Hints for the Extensible Authentication Protocol (EAP),” by the IETF, the disclosure of which is hereby incorporated by reference and will be known to individuals skilled in the relevant arts based on the teachings herein and reference to RFC 4284. - In
step 230, themobile device 110 receives the EAP-Request-Identity.Mobile device 110 decodes the message to learn the authentication policy of the visitednetwork 140.Mobile device 110 uses that knowledge and the preconfigured knowledge of the authentication policy of its home network170 to select the authentication policy required.Mobile device 110 encodes the authentication policy in an EAP-Response-Identity message and sends the message to accesspoint 120. As shown inFIG. 2 , the EAP-Response-Identity message can include an outer/realm identity (“user@realm”). This identity is not specific to the user and is not transmitted within a secure tunnel. - In
step 240,TLS AAA server 130 decodes the EAP-Response Identity message. - In
step 245,TLS AAA server 130 responds to the message with an access challenge message. Access challenge includes information that allowsnetwork 140 to be authenticated bymobile device 110, i.e. a digital certificate that lets mobile device know thatnetwork 140 is legitimate. - In
step 250, a tunnel is established so that user specific information (e.g. User-Name and password) can be securely transmitted between theTLS AAA server 130 andmobile device 110. The tunnel is established betweenmobile device 110,access point 120, andTLS AAA server 130. The inner User-Name/inner EAP-Identity and password information is secure within this tunnel. - In
step 260,TLS AAA server 130 receives a message containing the user specific information. The information in the message is particular to the authentication method that will be used to authenticate the user (e.g. PAP, CHAP, EAP, MSCHAPv1, MSCHAPv2). The authentication method to be used is established in the steps beforestep 260. TheTLS AAA 130 may decide to forward the request toHome AAA server 160 to complete phase2 of the authentication. It should be noted thatTLS AAA 130 andHome AAA 160 may be the same process/application. - At
step 270,Home AAA server 160, may act as the EAP Authentication Server, for example, then starts to execute an EAP method appropriate to the authentication method selected. The EAP method continues to execute until it succeeds or fails. In the case of PAP, CHAP, MSCHAPv1, and MSCHAPv2,Home AAA server 160 will authenticate the user based on the received protocol attribute information and will either accept or reject the session.Steps mobile device 110 to accessnetwork 140. Specifically, instep 290mobile device 110 receives an EAP-Success message. If successful authentication does not occur, ultimately the process will time out. FIG. 3 provides amethod 300 for a TLS AAA server to evaluate a mobile device's access request in a communication network using EAP, according to an embodiment of the invention.Method 300 begins instep 310.- In
step 310,access point 120 receives an EAP-Start message. This message comes from thenetwork 140 and signals that the EAP procedure should start. - In
step 320,access point 120, which is located in the visitednetwork 140, issues an EAP-Request-Identity message. Ifaccess point 120 knows the visited network Authentication Policy, it will encode the policy as part of the EAP-Request-Identity message. - In
step 330, themobile device 110 receives the EAP-Request-Identity.Mobile device 110 decodes the message to learn the authentication policy of the visitednetwork 140.Mobile device 110 uses that knowledge and the preconfigured knowledge of the authentication policy of its home network170 to select the authentication policy required.Mobile device 110 encodes the authentication policy in an EAP-Response-Identity message and sends the message to accesspoint 120. As shown inFIG. 3 , the EAP-Response-Identity message can include an outer/realm identity (“user@realm”). This identity is not specific to the user and as such may not be secure. - In
step 340,TLS server 130 decodes the EAP-Response Identity message. - In
step 350,TLS AAA server 130 responds to the message with an access challenge message. Access challenge includes information that allowsnetwork 140 to be authenticated bymobile device 110, i.e. a digital certificate that lets mobile device know thatnetwork 140 is legitimate. - In
step 360, a tunnel is established which allows user specific information (e.g. User-Name and password) to be securely transmitted betweenTLS server 130 andmobile device 110. The tunnel is established betweenmobile device 110,access point 120, andTLS AAA server 130. The inner User-Name/inner EAP-Identity and password information is secure within this tunnel. - In
step 370,TLS AAA server 130 receives a message containing the user specific information. The information in the message is particular to the authentication method that will be used to authenticate the user (e.g. PAP, CHAP, EAP, MSCHAPv1, MSCHAPv2). The authentication method to be used is established in the steps beforestep 370. - In
step 380, theTLS AAA server 130 will evaluate the embedded user specific information to determine which Home AAA server to route the user specific information to by evaluating it against a local policy. For example, theTLS AAA server 130 will evaluate the embedded User-Name attribute for legacy authentication protocols (PAP, CHAP, etc.) or the EAP-Identity for EAP authentication protocols. - The policy engine can place one or more of the following conditions on an inner user identifier:
- Equals
- Starts with
- Ends with
- Contains
- Regular expression; and
- Appears
- An “equals” condition tests if an inner user identifier is the same as a predetermined string. An example of the “equals” condition is as follows: when the “equals” condition is “abc”, inner user identifier “abc” satisfies the condition and inner user identifier “abcd” does not.
- A “starts with” condition tests if a character string at the beginning of the an inner user identifier is the same as a predetermined string. An example of the “starts with” condition is as follows: when the “starts with” condition is “abc”, inner user identifier “abcd” satisfies the condition and inner user identifier “dabc” does not.
- An “ends with” condition tests if a character string at the end of an inner user identifier is the same as a predetermined string. An example of the “ends with” condition is as follows: when the “ends with” condition is “abc”, inner user identifier “deabc” satisfies the condition and inner user identifier “abcde” does not.
- A “contains” condition tests if one or more characters are contained in an inner user identifier. An example of the “contains” condition is as follows: when the “contains” condition is abc, inner user identifier “xyabce” satisfies the condition and inner user identifier “axybec” does not.
- A “regular expression” holds a regular expression that is used to match a pattern against an inner user identifier.
- An “appears” command tests if an attribute appears in the an Access-Request message.
- It should be noted that the commands described above are for exemplary purposes only and that the policy engine can implement any number of different types of tests on information received from
mobile device 110 as would be appreciated by one of ordinary skill in the art. - In
step 390, after inner user identifier is evaluated against a policy. The user information is forwarded to the appropriate home server as determined by policy evaluation or the TLS AAA policy may determine that the user information is to be processed locally, in otherwords the TLS AAA may also be the home AAA. - Referring to
FIG. 1 , an example ofsteps mobile device 110ais johnsmith@realm.com. Suppose AAA/H servers server 160astores user authentication information for users with last names A-J,server 160bstores user authentication information for users with last names K-T, andserver 160cstores user authentication information for users with last names U-Z. Policy engine can search the user name johnsmith for an last name using the commands described above and route the user authentication information toserver 160b,which would contain the user authentication information for user John Smith. - At
step 392,Home AAA server 160, acting as the EAP Authentication Server, for example, then starts to execute an EAP method appropriate to the authentication method selected. The EAP method continues to execute until it succeeds or fails. In the case of PAP, CHAP, MSCHAPv1, and MSCHAPv2,Home AAA server 160 will authenticate the user based on the received protocol attribute information and will either accept or reject the session.Steps mobile device 110 to access network170. Specifically, instep 396mobile device 110 receives an EAP-Success message. If successful authentication does not occur, ultimately the process will time out. - It should be appreciated that
step 380 can be incorporated into prior art method in a variety of ways. For example, a policy engine could be incorporated into a home AAA server that initially receives the inner user identifier based on outer/realm identifier as described in accordance withFIG. 2 . After the home AAA server evaluates the inner user identifier it could forward the inner user identifier to another preferred/more appropriate home AAA server based on the evaluation. - In an embodiment of the present invention, the methods and systems of the present invention described herein are implemented using well known computers, such as a
computer 400 shown inFIG. 4 . Thecomputer 400 can be any commercially available and well known computer capable of performing the functions described herein, such as computers available from International Business Machines, Apple, Sun, HP, Dell, Cray, etc. Computer 400 includes one or more processors (also called central processing units, or CPUs), such asprocessor 410.Processor 410 is connected tocommunication bus 420.Computer 400 also includes a main orprimary memory 430, preferably random access memory (RAM).Primary memory 430 has stored therein control logic (computer software), and data.Computer 400 may also include one or moresecondary storage devices 440.Secondary storage devices 440 include, for example,hard disk drive 450 and/or removable storage device or drive460.Removable storage drive 460 represents a floppy disk drive, a magnetic tape drive, a compact disk drive, an optical storage device, tape backup, ZIP drive, JAZZ drive, etc.Removable storage drive 460 interacts withremovable storage unit 470. As will be appreciated,removable storage unit 460 includes a computer usable or readable storage medium having stored therein computer software (control logic) and/or data.Removable storage drive 460 reads from and/or writes to theremovable storage unit 470 in a well known manner.Removable storage unit 470, also called a program storage device or a computer program product, represents a floppy disk, magnetic tape, compact disk, optical storage disk, ZIP disk, JAZZ disk/tape, or any other computer data storage device. Program storage devices or computer program products also include any device in which computer programs can be stored, such as hard drives, ROM or memory cards, etc.- In an embodiment, the present invention is directed to computer program products or program storage devices having software that enables
computer 400, or multiple computer400s to perform any combination of the functions described herein - Computer programs (also called computer control logic) are stored in
main memory 430 and/or thesecondary storage devices 440. Such computer programs, when executed,direct computer 400 to perform the functions of the present invention as discussed herein. In particular, the computer programs, when executed, enableprocessor 410 to perform the functions of the present invention. Accordingly, such computer programs represent controllers of thecomputer 400. Computer 400 also includes input/output/display devices 480, such as monitors, keyboards, pointing devices, etc.Computer 400 further includes a communication ornetwork interface 490.Network interface 490 enablescomputer 400 to communicate with remote devices. For example,network interface 490 allowscomputer 400 to communicate over communication networks, such as LANs, WANs, the Internet, etc.Network interface 490 may interface with remote sites or networks via wired or wireless connections.Computer 400 receives data and/or computer programs vianetwork interface 490. The electrical/magnetic signals having contained therein data and/or computer programs received or transmitted by thecomputer 400 viainterface 490 also represent computer program product(s).- The invention can work with software, hardware, and operating system implementations other than those described herein. Any software, hardware, and operating system implementations suitable for performing the functions described herein can be used.
- Exemplary embodiments of the present invention have been presented. The invention is not limited to these examples. These examples are presented herein for purposes of illustration, and not limitation. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the invention.
Claims (14)
1. In a communications network using an Extensible Authentication Protocol (EAP), a method for a routing a client access request to a home Authentication, Authorization, and Accounting (AAA) server for inner user authentication, comprising:
(a) establishing a transport layer security (TLS) tunnel between a visited AAA server in a foreign network and the client;
(b) receiving an access request from the client at the visited AAA server within the TLS tunnel;
(c) evaluating attributes received in the access request at the TLS AAA server against a local policy; and
(d) routing said access request to a home authentication server based at least in part on the evaluation of attributes received in said access request against said local policy.
2. The method ofclaim 1 , wherein attributes received in said access request include an inner user identifier and wherein evaluating attributes received in said access request includes evaluating the inner user identifier against said local policy.
3. The method ofclaim 1 , wherein a client comprises a cellular telephone, a smart phone, a laptop computer, or a personal data assistant.
4. The method ofclaim 2 , wherein evaluating the inner user identifier against said local policy comprises performing at least one of the following determinations on the inner user identifier:
(a) determining if the inner user identifier equals a known character string;
(b) determining if a prefix portion of the inner user identifier equals a known character string;
(c) determining if a suffix portion of the inner user identifier equals a known character string; and
(d) determining if the inner user identifier contains a characters in a defined set of characters.
5. The method ofclaim 1 , wherein establishing a transport layer security (TLS) tunnel between a visited AAA server in a foreign network and the client includes establishing the TLS tunnel according to one of EAP-TTLS or PEAP protocols.
6. The method ofclaim 1 , wherein evaluating attributes received in the access request at the TLS AAA server against a local policy includes evaluating a EAP-Identity in the access request.
7. The method ofclaim 6 , wherein evaluating a EAP-Identity includes performing at least one of the following determinations on the inner user identifier:
(a) determining if the EAP-Identity equals a known character string;
(b) determining if a prefix portion of the EAP-Identity equals a known character string;
(c) determining if a suffix portion of the EAP-Identity equals a known character string; and
(d) determining if the EAP-Identity contains a characters in a defined set of characters.
8. The method ofclaim 1 , wherein evaluating attributes received in the access request at the TLS AAA server against a local policy includes evaluating a User-Name attributes in the access request, wherein User-Name attribute is defined by any one of PAP, CHAP, MSCHAPv1, or MSCHAPv2 protocols.
9. The method ofclaim 8 , wherein evaluating a User-Name includes performing at least one of the following determinations on the inner user identifier:
(a) determining if the User-Name equals a known character string;
(b) determining if a prefix portion of the User-Name equals a known character string;
(c) determining if a suffix portion of the User-Name equals a known character string; and
(d) determining if the User-Name contains a characters in a defined set of characters.
10. In a communications network using an authentication protocol, a method for a routing a client access request to a home authentication server for inner user authentication, comprising:
(a) establishing a secure communication tunnel between a visited server and the client;
(b) receiving an access request from the client at the visited server within said secure communication tunnel;
(c) evaluating attributes received in said access request at said visited server against a local policy; and
(d) routing said access request to a home authentication server based at least in part on the evaluation of attributes received in said access request against said local policy.
11. The method ofclaim 10 , wherein attributes received in said access request include an inner user identifier and wherein evaluating attributes received in said access request includes evaluating the inner user identifier against said local policy.
12. The method ofclaim 10 , wherein evaluating the inner user identifier against said local policy comprises performing at least one of the following determinations on the inner user identifier:
(a) determining if the inner user identifier equals a known character string;
(b) determining if a prefix portion of the inner user identifier equals a known character string;
(c) determining if a suffix portion of the inner user identifier equals a known character string; and
(d) determining if the inner user identifier contains a characters in a defined set of characters.
13. The method ofclaim 8 , wherein a client comprises a cellular telephone, a smart phone, a laptop computer, or a personal data assistant.
14. In a communications network using an authentication protocol, a method for a routing a client access request to a home authentication server for inner user authentication, comprising:
(a) establishing a secure communication tunnel between a visited server and the client using a roaming identifier for the client;
(b) receiving an access request from the client at the visited server within said secure communication tunnel;
(c) routing the access request to a first home authentication server based on said roaming identifier;
(d) receiving the access request said first home authentication server;
(c) evaluating attributes received in said access request, including an inner user identifier, at said first home authentication server against a local policy; and
(d) routing said access request to a second home authentication server based at least in part on the evaluation of attributes received in said access request against said local policy.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US11/979,353US8341702B2 (en) | 2007-11-01 | 2007-11-01 | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol |
| US13/672,646US8776181B1 (en) | 2007-11-01 | 2012-11-08 | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US11/979,353US8341702B2 (en) | 2007-11-01 | 2007-11-01 | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol |
Related Child Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US13/672,646ContinuationUS8776181B1 (en) | 2007-11-01 | 2012-11-08 | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| US20090119742A1true US20090119742A1 (en) | 2009-05-07 |
| US8341702B2 US8341702B2 (en) | 2012-12-25 |
Family
ID=40589498
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US11/979,353Expired - Fee RelatedUS8341702B2 (en) | 2007-11-01 | 2007-11-01 | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol |
| US13/672,646ActiveUS8776181B1 (en) | 2007-11-01 | 2012-11-08 | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol |
Family Applications After (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US13/672,646ActiveUS8776181B1 (en) | 2007-11-01 | 2012-11-08 | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol |
Country Status (1)
| Country | Link |
|---|---|
| US (2) | US8341702B2 (en) |
Cited By (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030105952A1 (en)* | 2001-12-05 | 2003-06-05 | International Business Machines Corporation | Offload processing for security session establishment and control |
| US20030105977A1 (en)* | 2001-12-05 | 2003-06-05 | International Business Machines Corporation | Offload processing for secure data transfer |
| US20090193251A1 (en)* | 2008-01-29 | 2009-07-30 | International Business Machines Corporation | Secure request handling using a kernel level cache |
| US20110045800A1 (en)* | 2009-08-20 | 2011-02-24 | Canon Kabushiki Kaisha | Communication system, control method therefor, base station, and computer-readable storage medium |
| US20110093938A1 (en)* | 2008-05-19 | 2011-04-21 | Nokia Corporatiion | Methods, apparatuses, and computer program products for bootstrapping device and user authentication |
| US20120204027A1 (en)* | 2011-02-09 | 2012-08-09 | Samsung Electronics Co. Ltd. | Authentication method and apparatus in a communication system |
| US8447273B1 (en) | 2012-01-09 | 2013-05-21 | International Business Machines Corporation | Hand-held user-aware security device |
| US8929859B2 (en) | 2011-04-26 | 2015-01-06 | Openet Telecom Ltd. | Systems for enabling subscriber monitoring of telecommunications network usage and service plans |
| US20150139210A1 (en)* | 2012-06-29 | 2015-05-21 | Nokia Corporation | Method and apparatus for access parameter sharing |
| US9130760B2 (en) | 2011-04-26 | 2015-09-08 | Openet Telecom Ltd | Systems, devices and methods of establishing a closed feedback control loop across multiple domains |
| US9173081B2 (en) | 2012-01-27 | 2015-10-27 | Openet Telecom Ltd. | System and method for enabling interactions between a policy decision point and a charging system |
| US9300531B2 (en) | 2011-12-12 | 2016-03-29 | Openet Telecom Ltd. | Systems, devices, and methods of orchestration and application of business rules for real-time control of subscribers in a telecommunications operator's network |
| US9444692B2 (en) | 2011-04-26 | 2016-09-13 | Openet Telecom Ltd. | Systems, devices and methods of crowd-sourcing across multiple domains |
| US9450766B2 (en) | 2011-04-26 | 2016-09-20 | Openet Telecom Ltd. | Systems, devices and methods of distributing telecommunications functionality across multiple heterogeneous domains |
| CN105959953A (en)* | 2015-09-14 | 2016-09-21 | 杭州迪普科技有限公司 | Safety business processing method and device |
| US20160337403A1 (en)* | 2015-05-11 | 2016-11-17 | Genesys Telecommunications Laboratories, Inc. | System and method for identity authentication |
| US9565063B2 (en) | 2011-04-26 | 2017-02-07 | Openet Telecom Ltd. | Systems, devices and methods of synchronizing information across multiple heterogeneous networks |
| US9565074B2 (en) | 2011-04-26 | 2017-02-07 | Openet Telecom Ltd. | Systems, devices, and methods of orchestrating resources and services across multiple heterogeneous domains |
| US9641403B2 (en) | 2011-04-26 | 2017-05-02 | Openet Telecom Ltd. | Systems, devices and methods of decomposing service requests into domain-specific service requests |
| US9781134B2 (en) | 2012-07-24 | 2017-10-03 | Alibaba Group Holding Limited | Method and apparatus of identifying user risk |
| US20190149521A1 (en)* | 2017-11-16 | 2019-05-16 | Nokia Technologies Oy | Privacy managing entity selection in communication system |
| US20190230510A1 (en)* | 2017-01-27 | 2019-07-25 | Telefonaktiebolaget Lm Ericsson (Publ) | Secondary Authentication of a User Equipment |
| US20220046024A1 (en)* | 2019-01-18 | 2022-02-10 | Vmware, Inc. | Tls policy enforcement at a tunnel gateway |
| US11388145B2 (en)* | 2016-09-12 | 2022-07-12 | Telefonaktiebolaget Lm Ericsson (Publ) | Tunneling data traffic and signaling over secure etls over wireless local area networks |
| CN115151904A (en)* | 2020-03-04 | 2022-10-04 | Ntt通信公司 | Authentication system, communication equipment, information equipment, and authentication method |
Citations (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6374298B2 (en)* | 1995-05-19 | 2002-04-16 | Fujitsu Limited | System for performing remote operation between firewall-equipped networks or devices |
| US20020099671A1 (en)* | 2000-07-10 | 2002-07-25 | Mastin Crosbie Tanya M. | Query string processing |
| US20030226017A1 (en)* | 2002-05-30 | 2003-12-04 | Microsoft Corporation | TLS tunneling |
| US20040030765A1 (en)* | 2002-08-12 | 2004-02-12 | Zilbershtein Itai Ephraim | Local network natification |
| US20040098588A1 (en)* | 2002-11-19 | 2004-05-20 | Toshiba America Research, Inc. | Interlayer fast authentication or re-authentication for network communication |
| US20040107360A1 (en)* | 2002-12-02 | 2004-06-03 | Zone Labs, Inc. | System and Methodology for Policy Enforcement |
| US20050044365A1 (en)* | 2003-08-22 | 2005-02-24 | Nokia Corporation | Method of protecting digest authentication and key agreement (AKA) against man-in-the-middle (MITM) attack |
| US20050102529A1 (en)* | 2002-10-21 | 2005-05-12 | Buddhikot Milind M. | Mobility access gateway |
| US20050198173A1 (en)* | 2004-01-02 | 2005-09-08 | Evans Alexander W. | System and method for controlling receipt of electronic messages |
| US20050273850A1 (en)* | 2004-06-07 | 2005-12-08 | Check Point Software Technologies, Inc. | Security System with Methodology Providing Verified Secured Individual End Points |
| US20060005254A1 (en)* | 2004-06-09 | 2006-01-05 | Ross Alan D | Integration of policy compliance enforcement and device authentication |
| US20060026671A1 (en)* | 2004-08-02 | 2006-02-02 | Darran Potter | Method and apparatus for determining authentication capabilities |
| US7082535B1 (en)* | 2002-04-17 | 2006-07-25 | Cisco Technology, Inc. | System and method of controlling access by a wireless client to a network that utilizes a challenge/handshake authentication protocol |
| US20060185013A1 (en)* | 2003-06-18 | 2006-08-17 | Telefonaktiebolaget Lm Ericsson (Publ) | Method, system and apparatus to support hierarchical mobile ip services |
| US20060236383A1 (en)* | 2005-04-04 | 2006-10-19 | Cisco Technology, Inc. | System and method for multi-session establishment involving disjoint authentication and authorization servers |
| US20060256763A1 (en)* | 2005-05-10 | 2006-11-16 | Colubris Networks, Inc. | Fast roaming in a wireless network using per-STA pairwise master keys shared across participating access points |
| US7146645B1 (en)* | 1999-12-30 | 2006-12-05 | Nokia Mobile Phones Ltd. | Dedicated applications for user stations and methods for downloading dedicated applications to user stations |
| US20070101132A1 (en)* | 2003-06-18 | 2007-05-03 | Siemens Aktiengesellschaft | Method and device for forming an encrypted message together with method and device for encrypting an encrypted message |
| US20070230453A1 (en)* | 2004-02-06 | 2007-10-04 | Telecom Italia S.P.A. | Method and System for the Secure and Transparent Provision of Mobile Ip Services in an Aaa Environment |
| US20080040606A1 (en)* | 2006-04-11 | 2008-02-14 | Qualcomm Incorporated | Method and apparatus for binding multiple authentications |
| US7450554B2 (en)* | 2003-12-08 | 2008-11-11 | Huawei Technologies Co., Ltd. | Method for establishment of a service tunnel in a WLAN |
| US20080282325A1 (en)* | 2004-04-23 | 2008-11-13 | Johnson Oyama | Aaa Support for Dhcp |
| US20080307488A1 (en)* | 2002-10-16 | 2008-12-11 | Innerwall, Inc. | Systems And Methods For Enterprise Security With Collaborative Peer To Peer Architecture |
| US20090037732A1 (en)* | 2007-07-23 | 2009-02-05 | Intertrust Technologies Corporation | Tethered device systems and methods |
| US7707412B2 (en)* | 2002-09-18 | 2010-04-27 | Nokia Corporation | Linked authentication protocols |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7954144B1 (en)* | 2000-01-18 | 2011-05-31 | Novell, Inc. | Brokering state information and identity among user agents, origin servers, and proxies |
| US8141164B2 (en)* | 2006-08-21 | 2012-03-20 | Citrix Systems, Inc. | Systems and methods for dynamic decentralized load balancing across multiple sites |
| US8312308B2 (en)* | 2009-06-22 | 2012-11-13 | Citrix Systems, Inc. | Systems and methods for SSL session cloning—transfer and regeneration of SSL security parameters across cores, homogenous system or heterogeneous systems |
- 2007
- 2007-11-01USUS11/979,353patent/US8341702B2/ennot_activeExpired - Fee Related
- 2012
- 2012-11-08USUS13/672,646patent/US8776181B1/enactiveActive
Patent Citations (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6374298B2 (en)* | 1995-05-19 | 2002-04-16 | Fujitsu Limited | System for performing remote operation between firewall-equipped networks or devices |
| US7146645B1 (en)* | 1999-12-30 | 2006-12-05 | Nokia Mobile Phones Ltd. | Dedicated applications for user stations and methods for downloading dedicated applications to user stations |
| US20020099671A1 (en)* | 2000-07-10 | 2002-07-25 | Mastin Crosbie Tanya M. | Query string processing |
| US7082535B1 (en)* | 2002-04-17 | 2006-07-25 | Cisco Technology, Inc. | System and method of controlling access by a wireless client to a network that utilizes a challenge/handshake authentication protocol |
| US20030226017A1 (en)* | 2002-05-30 | 2003-12-04 | Microsoft Corporation | TLS tunneling |
| US20040030765A1 (en)* | 2002-08-12 | 2004-02-12 | Zilbershtein Itai Ephraim | Local network natification |
| US7707412B2 (en)* | 2002-09-18 | 2010-04-27 | Nokia Corporation | Linked authentication protocols |
| US20080307488A1 (en)* | 2002-10-16 | 2008-12-11 | Innerwall, Inc. | Systems And Methods For Enterprise Security With Collaborative Peer To Peer Architecture |
| US20050102529A1 (en)* | 2002-10-21 | 2005-05-12 | Buddhikot Milind M. | Mobility access gateway |
| US20040098588A1 (en)* | 2002-11-19 | 2004-05-20 | Toshiba America Research, Inc. | Interlayer fast authentication or re-authentication for network communication |
| US20040107360A1 (en)* | 2002-12-02 | 2004-06-03 | Zone Labs, Inc. | System and Methodology for Policy Enforcement |
| US20070101132A1 (en)* | 2003-06-18 | 2007-05-03 | Siemens Aktiengesellschaft | Method and device for forming an encrypted message together with method and device for encrypting an encrypted message |
| US20060185013A1 (en)* | 2003-06-18 | 2006-08-17 | Telefonaktiebolaget Lm Ericsson (Publ) | Method, system and apparatus to support hierarchical mobile ip services |
| US20050044365A1 (en)* | 2003-08-22 | 2005-02-24 | Nokia Corporation | Method of protecting digest authentication and key agreement (AKA) against man-in-the-middle (MITM) attack |
| US7450554B2 (en)* | 2003-12-08 | 2008-11-11 | Huawei Technologies Co., Ltd. | Method for establishment of a service tunnel in a WLAN |
| US20050198173A1 (en)* | 2004-01-02 | 2005-09-08 | Evans Alexander W. | System and method for controlling receipt of electronic messages |
| US20070230453A1 (en)* | 2004-02-06 | 2007-10-04 | Telecom Italia S.P.A. | Method and System for the Secure and Transparent Provision of Mobile Ip Services in an Aaa Environment |
| US20080282325A1 (en)* | 2004-04-23 | 2008-11-13 | Johnson Oyama | Aaa Support for Dhcp |
| US20050273850A1 (en)* | 2004-06-07 | 2005-12-08 | Check Point Software Technologies, Inc. | Security System with Methodology Providing Verified Secured Individual End Points |
| US20060005254A1 (en)* | 2004-06-09 | 2006-01-05 | Ross Alan D | Integration of policy compliance enforcement and device authentication |
| US20060026671A1 (en)* | 2004-08-02 | 2006-02-02 | Darran Potter | Method and apparatus for determining authentication capabilities |
| US20060236383A1 (en)* | 2005-04-04 | 2006-10-19 | Cisco Technology, Inc. | System and method for multi-session establishment involving disjoint authentication and authorization servers |
| US20060256763A1 (en)* | 2005-05-10 | 2006-11-16 | Colubris Networks, Inc. | Fast roaming in a wireless network using per-STA pairwise master keys shared across participating access points |
| US20080040606A1 (en)* | 2006-04-11 | 2008-02-14 | Qualcomm Incorporated | Method and apparatus for binding multiple authentications |
| US20090037732A1 (en)* | 2007-07-23 | 2009-02-05 | Intertrust Technologies Corporation | Tethered device systems and methods |
Cited By (42)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030105952A1 (en)* | 2001-12-05 | 2003-06-05 | International Business Machines Corporation | Offload processing for security session establishment and control |
| US20030105977A1 (en)* | 2001-12-05 | 2003-06-05 | International Business Machines Corporation | Offload processing for secure data transfer |
| US20090193251A1 (en)* | 2008-01-29 | 2009-07-30 | International Business Machines Corporation | Secure request handling using a kernel level cache |
| US8335916B2 (en)* | 2008-01-29 | 2012-12-18 | International Business Machines Corporation | Secure request handling using a kernel level cache |
| US20110093938A1 (en)* | 2008-05-19 | 2011-04-21 | Nokia Corporatiion | Methods, apparatuses, and computer program products for bootstrapping device and user authentication |
| US8869252B2 (en)* | 2008-05-19 | 2014-10-21 | Nokia Corporation | Methods, apparatuses, and computer program products for bootstrapping device and user authentication |
| US20110045800A1 (en)* | 2009-08-20 | 2011-02-24 | Canon Kabushiki Kaisha | Communication system, control method therefor, base station, and computer-readable storage medium |
| US20120204027A1 (en)* | 2011-02-09 | 2012-08-09 | Samsung Electronics Co. Ltd. | Authentication method and apparatus in a communication system |
| US9306748B2 (en)* | 2011-02-09 | 2016-04-05 | Samsung Electronics Co., Ltd. | Authentication method and apparatus in a communication system |
| US9497611B2 (en) | 2011-04-26 | 2016-11-15 | Openet Telecom Ltd. | Systems and methods for enabling subscriber monitoring of telecommunications network usage and service plans |
| US9565074B2 (en) | 2011-04-26 | 2017-02-07 | Openet Telecom Ltd. | Systems, devices, and methods of orchestrating resources and services across multiple heterogeneous domains |
| US9130760B2 (en) | 2011-04-26 | 2015-09-08 | Openet Telecom Ltd | Systems, devices and methods of establishing a closed feedback control loop across multiple domains |
| US9641403B2 (en) | 2011-04-26 | 2017-05-02 | Openet Telecom Ltd. | Systems, devices and methods of decomposing service requests into domain-specific service requests |
| US8929859B2 (en) | 2011-04-26 | 2015-01-06 | Openet Telecom Ltd. | Systems for enabling subscriber monitoring of telecommunications network usage and service plans |
| US9565063B2 (en) | 2011-04-26 | 2017-02-07 | Openet Telecom Ltd. | Systems, devices and methods of synchronizing information across multiple heterogeneous networks |
| US9444692B2 (en) | 2011-04-26 | 2016-09-13 | Openet Telecom Ltd. | Systems, devices and methods of crowd-sourcing across multiple domains |
| US9450766B2 (en) | 2011-04-26 | 2016-09-20 | Openet Telecom Ltd. | Systems, devices and methods of distributing telecommunications functionality across multiple heterogeneous domains |
| US11153225B2 (en) | 2011-04-26 | 2021-10-19 | Openet Telecom Ltd. | Systems, devices and methods of decomposing service requests into domain-specific service requests |
| US10038988B2 (en) | 2011-04-26 | 2018-07-31 | Openet Telecom Ltd. | Systems for enabling subscriber monitoring of telecommunications network usage and service plans |
| US10057180B2 (en) | 2011-04-26 | 2018-08-21 | Openet Telecom Ltd. | Systems, devices and methods of decomposing service requests into domain-specific service requests |
| US9544751B2 (en) | 2011-04-26 | 2017-01-10 | Openet Telecom Ltd. | Systems for enabling subscriber monitoring of telecommunications network usage and service plans |
| US9300531B2 (en) | 2011-12-12 | 2016-03-29 | Openet Telecom Ltd. | Systems, devices, and methods of orchestration and application of business rules for real-time control of subscribers in a telecommunications operator's network |
| US9755891B2 (en) | 2011-12-12 | 2017-09-05 | Openet Telecom Ltd. | Systems, devices, and methods for generating latency bounded decisions in a telecommunications network |
| US8447273B1 (en) | 2012-01-09 | 2013-05-21 | International Business Machines Corporation | Hand-held user-aware security device |
| US9602676B2 (en) | 2012-01-27 | 2017-03-21 | Openet Telecom Ltd. | System and method for enabling interactions between a policy decision point and a charging system |
| US9173081B2 (en) | 2012-01-27 | 2015-10-27 | Openet Telecom Ltd. | System and method for enabling interactions between a policy decision point and a charging system |
| US20150139210A1 (en)* | 2012-06-29 | 2015-05-21 | Nokia Corporation | Method and apparatus for access parameter sharing |
| US9781134B2 (en) | 2012-07-24 | 2017-10-03 | Alibaba Group Holding Limited | Method and apparatus of identifying user risk |
| US20160337403A1 (en)* | 2015-05-11 | 2016-11-17 | Genesys Telecommunications Laboratories, Inc. | System and method for identity authentication |
| US9961076B2 (en)* | 2015-05-11 | 2018-05-01 | Genesys Telecommunications Laboratoreis, Inc. | System and method for identity authentication |
| US10313341B2 (en) | 2015-05-11 | 2019-06-04 | Genesys Telecommunications Laboratories, Inc. | System and method for identity authentication |
| CN105959953A (en)* | 2015-09-14 | 2016-09-21 | 杭州迪普科技有限公司 | Safety business processing method and device |
| US11388145B2 (en)* | 2016-09-12 | 2022-07-12 | Telefonaktiebolaget Lm Ericsson (Publ) | Tunneling data traffic and signaling over secure etls over wireless local area networks |
| US20190230510A1 (en)* | 2017-01-27 | 2019-07-25 | Telefonaktiebolaget Lm Ericsson (Publ) | Secondary Authentication of a User Equipment |
| US11895229B2 (en) | 2017-01-27 | 2024-02-06 | Telefonaktiebolaget Lm Ericsson (Publ) | States secondary authentication of a user equipment |
| US11575509B2 (en)* | 2017-01-27 | 2023-02-07 | Telefonaktiebolaget Lm Ericsson (Publ) | Secondary authentication of a user equipment |
| US20190149521A1 (en)* | 2017-11-16 | 2019-05-16 | Nokia Technologies Oy | Privacy managing entity selection in communication system |
| US10893026B2 (en)* | 2017-11-16 | 2021-01-12 | Nokia Technologies Oy | Privacy managing entity selection in communication system |
| US20220046024A1 (en)* | 2019-01-18 | 2022-02-10 | Vmware, Inc. | Tls policy enforcement at a tunnel gateway |
| US11792202B2 (en)* | 2019-01-18 | 2023-10-17 | Vmware, Inc. | TLS policy enforcement at a tunnel gateway |
| CN115151904A (en)* | 2020-03-04 | 2022-10-04 | Ntt通信公司 | Authentication system, communication equipment, information equipment, and authentication method |
| EP4099201A4 (en)* | 2020-03-04 | 2023-08-09 | NTT Communications Corporation | Authentication system, communication device, information device, and authentication method |
Also Published As
| Publication number | Publication date |
|---|---|
| US8341702B2 (en) | 2012-12-25 |
| US8776181B1 (en) | 2014-07-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8776181B1 (en) | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol | |
| EP1779293B1 (en) | Method and apparatus for determining authentication capabilities | |
| US8321670B2 (en) | Securing dynamic authorization messages | |
| US11924195B2 (en) | Onboarding an unauthenticated client device within a secure tunnel | |
| US8191124B2 (en) | Systems and methods for acquiring network credentials | |
| JP4832756B2 (en) | Method and system for performing GSM authentication during WLAN roaming | |
| CN102550001B (en) | User identity management for permitting interworking of a bootstrapping architecture and a shared identity service | |
| US8474023B2 (en) | Proactive credential caching | |
| KR101068424B1 (en) | Inter-working function for a communication system | |
| JP5497646B2 (en) | System and method for wireless network selection | |
| US20080070544A1 (en) | Systems and methods for informing a mobile node of the authentication requirements of a visited network | |
| JP5276593B2 (en) | System and method for obtaining network credentials | |
| KR20070032805A (en) | System and method for managing user authentication and authorization to realize single-sign-on for accessing multiple networks | |
| KR20080093431A (en) | Authentication Methods for Clients on a Wireless Network | |
| CN106063308A (en) | User identifier based device, identity and activity management system | |
| RU2295200C2 (en) | Method and system for gsm-authentication during roaming in wireless local networks | |
| CN101243642B (en) | Method for performing multiple pre-shared key based authentication at once and device for executing the method | |
| JP6266049B1 (en) | Information processing system, information processing method, information processing apparatus, and program | |
| KR100667186B1 (en) | Apparatus and Method for Implementing Authentication System for Wireless Mobile Terminal | |
| Mahshid et al. | An efficient and secure authentication for inter-roaming in wireless heterogeneous network | |
| Latze et al. | Strong mutual authentication in a user-friendly way in eap-tls | |
| CN1698308B (en) | Method and apparatus enabling reauthentication in a cellular communication system | |
| Maes | Master thesis: OpenRoaming: Evaluation of the potential of e-ID as an Identity Provider in the OpenRoaming federation and implementation of a prototype | |
| KR101068426B1 (en) | Interoperability for Communication Systems | |
| Thagadur Prakash | Enhancements to Secure Bootstrapping of Smart Appliances |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| AS | Assignment | Owner name:BRIDGEWATER SYSTEMC CORP., CANADA Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GRAZIANI, GIULIO;LI, YONG;REEL/FRAME:020706/0822 Effective date:20080326 | |
| ZAAA | Notice of allowance and fees due | Free format text:ORIGINAL CODE: NOA | |
| ZAAB | Notice of allowance mailed | Free format text:ORIGINAL CODE: MN/=. | |
| STCF | Information on status: patent grant | Free format text:PATENTED CASE | |
| FPAY | Fee payment | Year of fee payment:4 | |
| AS | Assignment | Owner name:AMDOCS CANADIAN MANAGED SERVICES INC., CANADA Free format text:MERGER;ASSIGNOR:BRIDGEWATER SYSTEMS CORPORATION;REEL/FRAME:039598/0471 Effective date:20160101 Owner name:AMDOCS DEVELOPMENT LIMITED, CYPRUS Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AMDOCS CANADIAN MANAGED SERVICES INC.;REEL/FRAME:039599/0930 Effective date:20160721 Owner name:AMDOCS CANADIAN MANAGED SERVICES INC., CANADA Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AMDOCS CANADIAN MANAGED SERVICES INC.;REEL/FRAME:039599/0930 Effective date:20160721 | |
| FEPP | Fee payment procedure | Free format text:7.5 YR SURCHARGE - LATE PMT W/IN 6 MO, LARGE ENTITY (ORIGINAL EVENT CODE: M1555); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY | |
| MAFP | Maintenance fee payment | Free format text:PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment:8 | |
| FEPP | Fee payment procedure | Free format text:MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY | |
| LAPS | Lapse for failure to pay maintenance fees | Free format text:PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY | |
| STCH | Information on status: patent discontinuation | Free format text:PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 | |
| FP | Lapsed due to failure to pay maintenance fee | Effective date:20241225 |